Malware Analysis Report

2025-01-18 22:15

Sample ID 240429-y3l2jsbe48
Target 359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903
SHA256 359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903
Tags
upx adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903

Threat Level: Known bad

The file 359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903 was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

UPX dump on OEP (original entry point)

Modifies WinLogon for persistence

Sets service image path in registry

Drops file in Drivers directory

UPX packed file

Modifies system executable filetype association

Enumerates connected drives

Modifies WinLogon

Installs/modifies Browser Helper Object

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-29 20:18

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
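
The static verdicts above (UPX packed file, Unsigned PE) are the kind of result a short walk of the PE headers produces, and they are what the behavioral runs later build on when they dump the unpacked image at the OEP. The following is an added example, not Triage's own code and not the sample: it reads a file's PE headers for UPX section names and the UPX! packheader marker and checks whether the Authenticode security data directory is populated. build_sample_pe() fabricates a synthetic PE32 header layout in memory so the example runs offline; that synthetic image stands in for the analysed sample, which is not reproduced here.

```python
"""Static checks behind the 'UPX packed file' and 'Unsigned PE' signatures.

Added example (not Triage's code): inspect_pe() walks the PE headers for
UPX section names, the 'UPX!' packheader marker and the Authenticode
security data directory. build_sample_pe() builds a synthetic PE32 layout
(not loadable, not the analysed sample) so the example runs offline.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DIR_SECURITY = 4                        # IMAGE_DIRECTORY_ENTRY_SECURITY
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to answer: UPX-packed? signed?"""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the optional header starts at +20.
    n_sections = struct.unpack_from("<H", data, pe_off + 4 + 2)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 4 + 16)[0]
    opt_off = pe_off + 4 + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    sec_size = 0
    if n_dirs > DIR_SECURITY:
        _sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * DIR_SECURITY)
    sect_off = opt_off + opt_size           # section table follows the optional header
    names = [data[sect_off + 40 * i:sect_off + 40 * i + 8].rstrip(b"\0")
             for i in range(n_sections)]
    return {
        "sections": [n.decode("latin-1") for n in names],
        "upx_sections": any(n in UPX_SECTION_NAMES for n in names),
        "upx_marker": b"UPX!" in data,
        # A populated security directory only means a WIN_CERTIFICATE blob is
        # attached; whether that signature verifies is a separate question.
        "has_signature": sec_size > 0,
    }


def build_sample_pe(section_names, signed=False, upx_marker=False) -> bytes:
    """Synthetic PE32 header layout (not loadable) for exercising inspect_pe()."""
    names = [n.encode("latin-1")[:8].ljust(8, b"\0") for n in section_names]
    pe_off = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    opt_size = 96 + 16 * 8                  # PE32: 96 fixed bytes + 16 data directories
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if signed:
        # Placeholder offset/size of a certificate table; only the size is inspected.
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x400, 0x200)
    sections = b"".join(n + b"\0" * 32 for n in names)   # 40-byte IMAGE_SECTION_HEADERs
    image = dos + b"PE\0\0" + file_hdr + bytes(opt) + sections
    if upx_marker:
        image += b"UPX!"                    # packheader magic UPX writes into the file
    return image


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pe(["UPX0", "UPX1", ".rsrc"], upx_marker=True)
    print(inspect_pe(data))
```

Run with a path argument to inspect a real file; with no argument it inspects the synthetic UPX image. The "UPX dump on OEP" signature is dynamic (the sandbox dumps the process once execution reaches the original entry point) and has no static counterpart here.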

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 20:18

Reported

2024-04-29 20:21

Platform

win7-20240221-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Note: both values written are the stock Windows defaults (Shell = Explorer.exe; Userinit = C:\Windows\system32\userinit.exe, including the trailing comma). The signature matches the write to the Winlogon key, not the content, so this is the sample re-asserting the default logon chain rather than redirecting it. The key is reached through Wow6432Node because the 32-bit sample runs under WOW64 on this 64-bit sandbox image.

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 hits; no indicator details recorded)

Drops file in Drivers directory

Description Indicator Process Target
File created (32 events) C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened for modification (32 events) C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Note: the drop lands in SysWOW64\drivers, not system32\drivers, which is consistent with the 32-bit sample writing to system32\drivers (the path its registry values below use) and WOW64 file-system redirection mapping that to SysWOW64. The name spools.exe is a look-alike of the legitimate spoolsv.exe.

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Note: Schedule is the Task Scheduler service, which normally runs inside svchost.exe; repointing its ImagePath at the dropped binary makes the Service Control Manager start spools.exe at boot in place of the scheduler. The path written names system32\drivers, whereas the file was dropped to SysWOW64\drivers. The SYSTEM hive is not redirected for 32-bit processes, so on this 64-bit sandbox the SCM would look in the native system32\drivers, where no spools.exe exists; the two paths only coincide on a 32-bit host.

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Note: "%1" %* is the default open handler for .exe files. The sample writes the default back rather than inserting itself into the launch path; the same event is listed again below under Modifies registry class.

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 hits; no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Note: the same two entries are written to the per-user Run key (HKU\<SID>) and to the machine-wide Run key in the 32-bit view. ntuser points at the dropped service binary; autoload points at cftmon.exe, a transposition of the legitimate ctfmon.exe name, under the Windows XP-era profile path Local Settings\Application Data, which Windows 7 resolves through its compatibility junctions to AppData\Local. As with the service ImagePath, system32\drivers\spools.exe is not where the 32-bit sample's copy actually landed on this 64-bit sandbox (it was written to SysWOW64\drivers), so the ntuser entries are only effective on a 32-bit host.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X: (64 open attempts in total; every letter probed more than once) C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Note: all four entries are deletions, not installations. They are carried out by the reg.exe instance the sample wrote to (PID 3064, see Suspicious use of WriteProcessMemory below): three BHO CLSID registrations are removed and then the Browser Helper Objects key itself in the 32-bit view. The signature matches on the key path, so the title and the stealer/adware tags should be read as "touches the BHO registry", while the observed behaviour is removal of whatever BHOs were registered.

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Note: UIHost = logonui.exe is the stock value of a Windows XP-era Winlogon setting that Windows 7 no longer consults, so this write has no effect on the sandbox's logon sequence. Together with the default Shell/Userinit values above it reads as a reset of Winlogon defaults aimed at older systems.

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
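
The persistence signatures in this run (Modifies WinLogon for persistence, Sets service image path in registry, Modifies system executable filetype association, Adds Run key to start application, Modifies WinLogon, Modifies registry class) all come down to a handful of registry values. The audit script below is an added example, not part of the Triage report and not the sample's code: it compares those values with their stock defaults and flags the Run entries and the Task Scheduler ImagePath this sample writes. The flat snapshot layout, the HKLM/HKCU labels and the severity levels are this example's own conventions; REPORT_SNAPSHOT is transcribed from the indicator rows above.

```python
"""Audit of the registry persistence points this sample writes.

Added example, not Triage's code and not the sample's: audit() works on a
flat snapshot {"HIVE\\subkey|valuename": data} so it can run offline, and
collect_snapshot() fills that dict from a live Windows registry, reading both
the native and the Wow6432Node view of HKLM\\SOFTWARE because the 32-bit
sample wrote the redirected view. The HKLM/HKCU labels, the snapshot layout
and the severities are conventions of this example.
"""
import sys

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE = r"SOFTWARE\Classes\exefile\shell\open\command"
SCHEDULE = r"SYSTEM\CurrentControlSet\Services\Schedule"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def _canon(key: str) -> str:
    """Lower-case a snapshot key and fold the 32-bit view onto the native path."""
    return key.lower().replace(r"\wow6432node", "")


# Stock values. The sample writes exactly these, so an exact match is a reset
# of defaults and a deviation is the case worth a responder's time.
STOCK = {_canon(k): v for k, v in {
    "HKLM\\" + WINLOGON + "|Shell": "explorer.exe",
    "HKLM\\" + WINLOGON + "|Userinit": r"c:\windows\system32\userinit.exe,",
    "HKLM\\" + EXEFILE + "|": '"%1" %*',
}.items()}
SUSPECT_NAMES = {"ntuser", "autoload"}                 # Run value names the sample uses
SUSPECT_PATHS = (r"drivers\spools.exe", "cftmon.exe")  # its drop and its ctfmon.exe look-alike


def audit(snapshot: dict) -> list:
    """Return (severity, key, data) findings for the persistence points above."""
    findings = []
    for raw_key, data in snapshot.items():
        key = _canon(raw_key)
        path, _, name = key.partition("|")
        val = str(data).strip().lower()
        if key in STOCK:                                   # Winlogon Shell/Userinit, exefile handler
            if val != STOCK[key]:
                findings.append(("high", raw_key, data))
        elif path.endswith(r"\services\schedule") and name == "imagepath":
            if "svchost.exe" not in val:                   # Task Scheduler is normally svchost-hosted
                findings.append(("high", raw_key, data))
        elif path.endswith(r"\currentversion\run"):
            if name in SUSPECT_NAMES or any(p in val for p in SUSPECT_PATHS):
                findings.append(("high", raw_key, data))
        elif any(p in val for p in SUSPECT_PATHS):
            findings.append(("medium", raw_key, data))
    return findings


def collect_snapshot() -> dict:
    """Windows only: read the audited keys in the native and, where redirected, the 32-bit view."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    targets = [("HKLM", WINLOGON), ("HKLM", EXEFILE), ("HKLM", SCHEDULE),
               ("HKLM", RUN), ("HKCU", RUN)]
    snap = {}
    for hive, sub in targets:
        views = [(winreg.KEY_WOW64_64KEY, sub)]
        if hive == "HKLM" and sub.startswith("SOFTWARE\\"):
            # Of the keys audited here only HKLM\SOFTWARE has a Wow6432Node view.
            views.append((winreg.KEY_WOW64_32KEY, "SOFTWARE\\Wow6432Node" + sub[len("SOFTWARE"):]))
        for flag, shown in views:
            try:
                handle = winreg.OpenKey(hives[hive], sub, 0, winreg.KEY_READ | flag)
            except OSError:
                continue
            with handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:                        # no more values
                        break
                    snap[f"{hive}\\{shown}|{name}"] = data
                    index += 1
    return snap


# Transcribed from the behavioral1 indicator rows of this report (32-bit view
# for the HKLM\SOFTWARE keys, ControlSet001 as the sandbox recorded it).
REPORT_SNAPSHOT = {
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell": "Explorer.exe",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon|UserInit": r"C:\Windows\system32\userinit.exe,",
    r"HKLM\SYSTEM\ControlSet001\services\Schedule|ImagePath": r"C:\Windows\system32\drivers\spools.exe",
    r"HKLM\SOFTWARE\Classes\exefile\shell\open\command|": '"%1" %*',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|ntuser": r"C:\Windows\system32\drivers\spools.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|autoload": r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|ntuser": r"C:\Windows\system32\drivers\spools.exe",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|autoload": r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe",
}

if __name__ == "__main__":
    snapshot = collect_snapshot() if sys.platform == "win32" else REPORT_SNAPSHOT
    for severity, key, data in audit(snapshot):
        print(f"[{severity}] {key} = {data!r}")
```

On a Windows host the script reads the live registry (both views of HKLM\SOFTWARE); elsewhere it audits the snapshot transcribed from this report. A value that matches its stock default is deliberately not reported: for this sample the Shell, Userinit and exefile writes are resets, and the findings that matter are the Schedule ImagePath and the four Run entries.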

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A (37 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2924 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Windows\SysWOW64\reg.exe
PID 2976 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2708 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2624 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2400 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2888 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2344 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2524 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 1852 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 924 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 360 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 632 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2824 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 588 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2432 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe

Processes

C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe

"C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe"

C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe

C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

memory/2924-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-1-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-6-0x00000000001B0000-0x00000000001E0000-memory.dmp

memory/2924-12-0x0000000000400000-0x0000000000430000-memory.dmp

\??\c:\stop

memory/2708-9-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

memory/2976-13-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

C:\Windows\SysWOW64\drivers\spools.exe

memory/2624-22-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2708-21-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2708-20-0x00000000004E0000-0x0000000000510000-memory.dmp

memory/2400-28-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2624-27-0x00000000003B0000-0x00000000003E0000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

memory/2624-32-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

C:\Windows\SysWOW64\drivers\spools.exe

memory/2400-40-0x0000000001CE0000-0x0000000001D10000-memory.dmp

memory/2888-41-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2400-43-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

C:\Windows\SysWOW64\drivers\spools.exe

memory/2344-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2888-50-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

memory/2344-61-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2524-58-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

C:\Windows\SysWOW64\drivers\spools.exe

memory/1852-70-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2524-69-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2524-68-0x00000000003C0000-0x00000000003F0000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

memory/924-78-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1852-81-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1852-77-0x00000000002A0000-0x00000000002D0000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

C:\Windows\SysWOW64\drivers\spools.exe

memory/924-86-0x0000000000430000-0x0000000000460000-memory.dmp

memory/360-89-0x0000000000400000-0x0000000000430000-memory.dmp

memory/924-90-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

memory/360-99-0x0000000000400000-0x0000000000430000-memory.dmp

memory/632-100-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

C:\Windows\SysWOW64\drivers\spools.exe

memory/632-109-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

memory/588-115-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

memory/2824-119-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

C:\Windows\SysWOW64\drivers\spools.exe

MD5 da26a69b4c2ca6e660b25fdd6a579646
SHA1 e66b8575a0d6dfd55e96ad25d6c0b84efba1f7dc
SHA256 654b73f5533782c23de27f06dc26174808d992d01e2fdcf598b9271df1252e53
SHA512 cfb2db32822b9f2a548ae0a761b2886b80ce7c5cd63265639f4b1e4ad86ec17facedfbdb695e5c030cee98dab1c0b78369c4e88daf14285ea32b58669321c6fb

memory/2432-127-0x0000000000400000-0x0000000000430000-memory.dmp

memory/588-129-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 367086ff765c45bd42728d494214caa1
SHA1 2746fcbc1f38b0a888b8857968e53f8a08fc131b
SHA256 25536f8aa0452255961735d600222b0e4a3c546f08c39d862ddcfc11431f42f4
SHA512 071aeee9bfdc6e8ce1d08f0a7cc924444d71f4afb797d0b3a21ff0cf1bac7e7c79a68adfaab0791b4c3f5421c02afbae44dfc0c150567e8a65cc26c5b55b3869

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7412c43914d76840319604e94014bb5b
SHA1 7c5549eee323b860a35c95e177a04c07e442939a
SHA256 62934952d371e1bc166d03f5bbf0a55613f595c6f67d0d58f4f41ef86a19a6cf
SHA512 122e9007b7a0f4cfa3f2b1e0b92d86695925f887a14e4c93ea733dc6716fd4ea707858a22d3f5380e6170371f50a99ab533154bbaaef6bb658edfc8f892a57f1

memory/2432-135-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/2432-139-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c0274ca43912187b37f93b991b75489e
SHA1 9bfcacd8db930b1a7dbb948243bb89426d150843
SHA256 7d26fdbdfbe6d3754b53fbfde5f85f3194150f39d2e321b93747692fdb61fd3d
SHA512 bffbf6625d40a31adcfb51940cd0a9c9d6fc4ff4641b6e766294cb793f38d9aa5abd05ac20ac340336f9eeba0f7558189547219e619d60e11d845b2de04d7ee0

memory/544-145-0x0000000001BC0000-0x0000000001BF0000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 238e71aa794d134b87c6e21cb11e47ef
SHA1 0679ebe2c1b0a05bef7fe4164a9b31b019be116b
SHA256 4b25833dba0d6b9716ebf0648bb24d41bcd6f1651051932ff82a15aa1e75e362
SHA512 cd73bc7914326e7f5c5b7645943562be36f46d1279f507942330846294c7b0aa33d3184c4e696890ecf1c80e074973e7f22b7a8690c246d11649d5a9874465c4

memory/544-149-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 d0574a78147a255c257d095543de1c0d
SHA1 1688843f417413817980dae014ac88168138a4b9
SHA256 508ddde390db327c67cc656adde490c4cab15e4bcc06a6d8f293e254a23d5e7c
SHA512 ec1d78c4e97b6391b4b323de7f042e3d074d6bd5928a5ed5ac3f2202d092d466a0b2f0c973d1555524cfbfe8b41d1c6cdafc48c2d3721092d1f353679d6ecee6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d63ef38ec7ffabb91035e168e665fa3d
SHA1 a8b12e11ef1f4130c3f61ffc83aeb30e734c6dc2
SHA256 7cee57e901b17c81f22f71a5e2d8c28188219bbf17d52f123a50299c76b49d5f
SHA512 fcca1e109b891a5889405ad3e08d965068ce8bfedc9992ff26fb451d8673210e5eea5dee0e9987286d68f3fb796379da63ca5798078ce61c6360721c6b55094f

memory/1008-156-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1420-155-0x0000000000530000-0x0000000000560000-memory.dmp

memory/1420-158-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3b41f4c0caf004b68acce90c327f55d2
SHA1 012351675732e7003151c0939ae0ac7ce15f9c8a
SHA256 61003bd006a389d282ca8ffc50975d1d84c5ec6c1010f04b0735d47708803c79
SHA512 606588acdd2990515a9fb161d4d0d51b4384daaee542fdcdb8a85723fcbc3512d3002b5c604da53298e5da8719b2a42754033d8f32cb62bec06ed151d5f6728a

memory/2288-166-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1008-164-0x00000000002A0000-0x00000000002D0000-memory.dmp

memory/1008-168-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 d5bed48e0b5cd904e319d76ec8c09b28
SHA1 d398946fb3cde21eeee54cf509268fbe16f7a043
SHA256 3fd0d912085009e77487a1e1364b806dc1ab9571648342b4917dd57ee4d044c0
SHA512 4fd11bd66cc3a64b3ad36a592972562ceb97da4ddd3bd028849b3dd363c5fe7987fe6fb9183760a7d412caba02fc43ac70283b2e2c788a989442c2502b8a4278

memory/2288-172-0x0000000000370000-0x00000000003A0000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1c3d5b322a2443561fddf79757fd1e4b
SHA1 71f9c2ab8e9dc56761cabf76d7cb29fa96b07915
SHA256 547b81465031da03293bf17e1f02b7bdbbbd2b0bfa42ff6b4719ca989cbd509c
SHA512 c2462409a13c3a5c19592abf67c2b064619ebdd3b3a7f61addb87c6f3e6b34cf6e0114f4e6b4d800725a60dbd14b3bf8024ec81c9c66d757da7016e1087aafdd

memory/2288-176-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6b7f4ff023cdcac498071eac16e22032
SHA1 adb22a6d4d64d4824fe847faaa27dd7d250977d8
SHA256 006d9a108fa7fc69028db56d6230042d3d1b85092fb69763ce9b13db7b145f51
SHA512 e6b8e0f53d6daf70126bd24b939aeb16dc1199c5a1e2a85d40ce2100c0b94dba4ee7fa0914db2dd658629e738116e5c37329de43b26a8d234815bac3d3c50331

memory/1248-182-0x0000000001C10000-0x0000000001C40000-memory.dmp

memory/1276-184-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1248-186-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8d8121fd3e7068038706e828782c8024
SHA1 528d4d1a0b9a166b3d3af5f8f2fdeb0bff75cefc
SHA256 6babca6713680589ecf2149716a4ccf43faba1f055d4e5eabbfb7025bcc3ac31
SHA512 e304e64da90b65d8f307ac2d63e869833cfb5d94bd1ccc7461bd7f6efcf152dcce4340a9e7da5ec2679952a3d51af2411739ea0ac5d17d87d8bf16318f6622fe

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2e37272beb2f0f91c44fc437e32cdf55
SHA1 188f9a8da11d70f2f506de7aa534bd4a63756ded
SHA256 6b5175712d9864b4f818e4a0fae034a12efe23b43bfb6edf687b79d699b909f1
SHA512 58970186e97560cbe5eb331c1931eb7d5cc6e30f843b00ee5952eee89aa909cf7898243e78f35a5392a08222589729c497b9ca759c0cabb646f9620e1aacb239

memory/2920-192-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1276-194-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a61a90e0e82fe092cfb5973a15ea4c5f
SHA1 b07507fe35f7f24a9590dd3eef359bf3a8164b22
SHA256 b0cc49d59d82d0184de0a83ff50cd0d6a9d9dab4a7ea71f4f39d756aa4be24c9
SHA512 fd1057c31aa3e73b07eb1c503d3f88ec9bfc3a0c59380026e3fa829bd413816360ece9c58b70fb74e0819690957843fbbd90bb1373b30ae51eaf21c36664e506

memory/2920-202-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 07ad80c68b9fffa6a855630c46714ade
SHA1 39703bc6da95344bd605c0c461111f9491c601b0
SHA256 f5337f3c136d36b55b3b3ec05aafb18712d91f357d08fc35dbe0250073dbf35a
SHA512 d1e25bf0b801e1080249f24c566c1c28f8bf78b2812a14e4369fabc87c95153ad348cf0932ae52ec84ba13d5a4b583782020ee4f7cdbc63c5a668b16b2134949

C:\Windows\SysWOW64\drivers\spools.exe

MD5 dce29417fe06b91a4d09c97a0a09638b
SHA1 855234826c78d6cbe9cdc529e602012e4025d9f7
SHA256 2cce0c9f75b5caa997d0080ed2773092e62085866322139f9be13462455981c2
SHA512 4264f8558f93c3f2f7fb777406f4bbd9f1e464f4d46192e906d4068d9be10601a27761014b837d740c7ee49c5f93b891ef07873112a741a2d420b1f67830954a

memory/2976-208-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3024-210-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 53c9707d09c867d7b75781420f40db57
SHA1 4267d17fd44747e98ca47a93bef0d83e6387432e
SHA256 98ba50fb9dc4b7a180d56058ed1fb0857fd4e5a49b4f904217c6ed13c4a2900a
SHA512 ae7b86254cc68dcf0e624bf52434695060e3cf0d72fe25ac138719ca3b047703659e9cf7ca0113f178480ec7d56064bfe839b9441f7281f5ed683cc27210ae87

memory/2976-218-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 a115201fc52675293706faf6544c3edb
SHA1 47544a25952ba5f66377d6fe6896313ea632599d
SHA256 b05ec31a07b4c8d3c4b5060820ca77369ad75ee30dccc34caeb7a18f04383ec7
SHA512 5dde78366641171d3e9af7527420fdc60a8b60fdd1639c20aa8618f44c1a63c18e1701e05c5b1187a8ef50d0f831757d12f87b8b3e03ac16ba3d83c08ac1c23d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f216b2413d7b03ec7753442fc6e3bf04
SHA1 0636b5dc185970b988d4e13e0c8beecd46c275c2
SHA256 5d2d17801d8809cf9b2c7feee358b3a0f60fce5b7f2825385da5c991a687a594
SHA512 64ba1627cf53e14665dfadc69bff888123b4864d9fd508eae8ba8971bf5a8d08eef0bfa309600ed3081e554b283cd58e676bfc41e1b8b123c448f1ee74a6fcc7

memory/2580-227-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 101c94d8f4099e1d71415753752905a7
SHA1 c3a131a2ab6832ee1004785e1142b668f62851b2
SHA256 1d6f69da31632d6effeb0dfbad67056d7ef6866baa464ec96ec8ed5f5f075087
SHA512 d84158df88f745512f3b8b0add3e33489b346b89b7fa0fac97def90491f4bc65ca2798c65f190a1cac37f6e73d57d46feb5399b48f2ec8f83f69f2ea5eb56c52

memory/1736-233-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2476-235-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1736-241-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2352-247-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1800-253-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1860-259-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2180-266-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2416-265-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2372-273-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2180-272-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2080-280-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2372-279-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2080-286-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1448-294-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2808-293-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 20:18

Reported

2024-04-29 20:21

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
64 rows recorded, all without description, indicator, process or target (N/A)

Drops file in Drivers directory

Count Description Indicator Process Target
29 File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
29 File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Sets service image path in registry

persistence
Count Description Indicator Process Target
28 Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Modifies system executable filetype association

persistence
Count Description Indicator Process Target
28 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3620 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Windows\SysWOW64\reg.exe
PID 3620 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2028 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 844 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 3928 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2484 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 3164 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4688 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 1828 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4764 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4380 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 1368 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4920 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 780 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4300 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4400 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 1452 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 2624 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4816 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4556 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 5004 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe
PID 4688 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe

Processes

C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe

"C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\359c3d642df88f4a5779f247b1b3dcd086fa5fbf1dd778405d8129de0d18a903.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

memory/3620-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5f08fb3fa475072df4906a25454e0a24
SHA1 8e3343f3b0f9c2816e5dad958b71b3bfc10166ec
SHA256 efcfe1059d017ac036213bc7e940e63f6649e859b6bb9b7b75aacef5bdefbf33
SHA512 2ea90de8628b73b26df4305bed8c921b288cb4efc420f9ccf99637aa94d535e797f544a0d0d7cdd87712fafe63033b81d43e180461e9a5ee3952b5fef4ff1fc6

memory/2028-6-0x0000000000400000-0x0000000000430000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3620-9-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 3e22a7d0660295f4ea1273c649c08a6c
SHA1 1de710bb50d2a71b19c943a28f37c15cf9c79cea
SHA256 418b4f1d49e19673f01a8560387bc8b6753cb2d3131f7eaf2391308f91e58b24
SHA512 99905c88b0811f77f7637c6c885c196e777346c8d0c41ae586980473f9ca1578f7c16a02ea1479c2ea3ca5d8a24002771de5e44b31ccc232263976f921dba76a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ffae328274ff8bc8aee91c5e08ff353e
SHA1 45f6d72c83c66394eae77ceb2a17a89d7106b12d
SHA256 7a268469076f3fb5b20186b1a37a9ffdbdaeae0079a1ae12ca0933f7254ad7a4
SHA512 ec0ec76f98119176bdd4fb8b92505bc77e92ca706484132f17e70d3719d1df8894bc1b07e9d41e159376c1b4c07033ad85a6cd1b60b1d8e5c8e36ddfb7d3e05d

memory/844-20-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2028-22-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ef36a80517bd4ebd30d4585c8435044b
SHA1 c0c1639665b799884937c9c43378bca2347c772f
SHA256 abb289c3c8f254308104257020401d10a1a1ca31c73b540bf717876ae6f99a76
SHA512 aec69736db4fd56295f7423a0622364d8542c89f6e1ee182e8d0f68a8c277467a257cd7a8b03786ba30a7726ec5fda25a2925d7b975fe98886df0d1b2312bbe1

C:\Windows\SysWOW64\drivers\spools.exe

MD5 dafed2c3a57a31345dd6f48a1a77a066
SHA1 9262fb78d321dac60b899c00e1df4fdbf4790812
SHA256 1f7be90da5e5a930f03e8e3861d3b99617f7169cc6aae859906c5ca91e02f26e
SHA512 f1fa67cf7435519d3b35de3f40ffde408f678134872e23b7d615ef607179176b17f9d06132c30044d541f9c22b8d51bb5a5b6ec7fa1e603cd84bd6cd14710fe9

memory/3928-33-0x0000000000400000-0x0000000000430000-memory.dmp

memory/844-35-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 3432c8ba2c4d5fbac0b9a64882157730
SHA1 2c4862eb24f8e24bfe4bfe6b9d1c17c8bfbdda29
SHA256 3f6549ea892bb36c25e7713768648ab41d244cbf9043af76433df06972bbcc9c
SHA512 a9dba72fae227d3c116052a44079ee7fc6ad8a62dee1df810a4b28442aa0b33b66b1cdea635bca6b2ce353b5d38e9c5298d039e1087c86b85a4ba587abfc643f

memory/2484-44-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2273856d0ab2b853bbbfeeeb173f4c0b
SHA1 3e65166cd0d4357992dc6d913bee2bc3141461a4
SHA256 9247bea92c582d8d5590c850d491066d8d5f014f691612521b9b2d2aca61e3c9
SHA512 e6173aa1c4c9638dca0e4634efa2fd38b3d2f4e4a3d1121f107bc224d8f12c25f1080ade862223f0b394dda66bcb65647a8224036d4e2e96e791963122683704

memory/3928-48-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6d4ba692fb98eeb823ed9013420d9087
SHA1 f62a909e8128e2149d1516b9c9270cf7d5e97a7f
SHA256 1c39d2015180b057927ea9b0b0ef14a468c16c1fb24e01c8995cc5c40488702d
SHA512 9f3e77cc2b318504075dd25e1e1ca335e3c15ba09863c15452bd26dd682135fafc76d999bc361f2caaed70bdaf3a613c8cf228c0e6e54346c9505bd70a5960df

C:\Windows\SysWOW64\drivers\spools.exe

MD5 73c5eeea15d3a8b0fd9c32bf42edba39
SHA1 f14a81be1777bb261bec18383cc611e6c2652761
SHA256 268e84ef5cfa47082a6951da55040531e64597118f3be46337d5540c0482f64b
SHA512 c318eb3495fd90d04448e3a79025d9e38b37c90e975d400b3005afbce2447f94dcb37e384550048bbc61a22c0c881bb41dfcb5b2b438c9b63e49e4d9a30489e4

memory/3164-59-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2484-61-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 181d006bfd3e44e808602f822d56457b
SHA1 961d1bd8492aea831da22a2ce984c0c457ca5bd2
SHA256 a2353f50b18bb875070da0b1a86cac49cb26202c73b52a687baaefd65d81545b
SHA512 e054fe7f87093f4b1653ed4c8b2d7f2c3414a9a8c73350df0b0e5740300ee1bc0eae33ea5e2c078c2dfa2874dbd8a1d0b1ad41993560aa9f33ca641668fd1ede

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b24158eb699e364b2cd50d882645d35e
SHA1 9b8b61208d1ba8233427ef939194359508a88c30
SHA256 93950754e73cf932711c7306c061ac1edbdce5b8a5ca52e64423c71106657edf
SHA512 484f4e3329ad098575c3fcf722d60dce94e78c5ab7ae80cc0abe82457fb92b5254a4708b01dd3c7fd117fd5d8a5057ad04f3afa4f4be52a331e9bc3c5033bf5d

memory/4688-72-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3164-74-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ff017bb946e16d5a26edc2260c81eba1
SHA1 13afcaf785f4fc99ede3fa40424a67af67ac8f15
SHA256 fbf1ee2d30a9b55500fcae33f802bb384b48fd382282990053e9c491ab3ed270
SHA512 fc7ad22d38e824022e9df7ce2ada62ccb80d1fb9894a24f0749326cd8751057a0f824dfb14d56e1c1c8bf2756f8df3aac8601aa0666d2ac4c19ea0d7d487bee1

C:\Windows\SysWOW64\drivers\spools.exe

MD5 01e54ed4db626d119d7e3b92c0d808cf
SHA1 14b2372dc082c222dba172b22d0b4df4a5456cdf
SHA256 eefd844cc936313aeb6481b2b17a33f8e21798e65ece261657c2d00db2f9b03b
SHA512 6fc6ebe2a02724ee323de3065d1750d218c69a3ac96a41974b012e56a3fe37353ae838ebdbf3b5286988cdc32cf61bbd4eb6a8ac77489c6a3608f27f6c085f71

memory/4688-86-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 deb1a9525387d823a1037b3ae2c1f087
SHA1 f0b385a925ac8fb8d259113d1625eab443c347e9
SHA256 cae6bcc1386f3733b2df256671e8fb26001c815d44c0c3075494330aadabe96f
SHA512 e017bfb8a40177c235c22cfeee35f8336aef4f6cadcc575950377d16dd2d2163237bf2d6f92b2236d74c66beaf4e37650c75bca2e92869ce8240ed6bdab61a07

memory/4764-95-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9f96e1af787d1ae8cb148c3d1cd640cc
SHA1 6e0d67c38a59c3a222bcdb1e5ca797378ebac4a4
SHA256 ff78513bf273810360418887c3d0c902f2fec18be00ba7db19ea41e230a090a6
SHA512 19aec4b959edea7c2ff1a2b108e2cb80fabc92dcf790b679c1040ecd0867d500ccab44d1bbaa3a91d1e5b6d72541bc8828cfaf6205aa9c43c61f74cb02c13575

memory/1828-99-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 23446aeba2d9acdb8b5e1e95a20542ae
SHA1 ed53a967310408623bf13077633b52e60db7da0b
SHA256 d348a55ffc4b979460ab3d15ce57e77e644364e8a96503c1e105429ac3d84c44
SHA512 6688bb9179d137a6015d4e54e1b10c4867d482e02ece49c2c88fb5b076b19d344e2b4098108a82b2718668589e23cf0dd57668999e3c5e806e5f434951a58856

C:\Windows\SysWOW64\drivers\spools.exe

MD5 98e3d413b05141bb36582bc8f89fd22f
SHA1 030b25e648a586e1687083521500f16f0b9600d2
SHA256 07556d0055e6116a9a6dc1b5006db6625acccc951cece08e467050898f24d3dd
SHA512 d00a2b1cba624aa28acf169ca4e7c1e9a73c471a6cda7c048d9cefe201d8544427a65c0abfc8678de708c32f38dc0f4433c5ef21dec2467905397ce53925331c

memory/4380-110-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4764-113-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f7d8ee4793ed97c312a6ab09376f49fd
SHA1 11b98dd2598f60652b1b1a0333b3a97ff3740d03
SHA256 2206e9ef1065bc90ea73aaaedd4d1972fc0de2edc70399b96bb13fd36ccfd259
SHA512 4176f28504c9d84338d713ef2c7af03cc67636112623597bd3b3f25c0d84a2725bb6ba408ac4e22f3cbf93238cf82ff840075d116ba86142f7c91291f5b8a5b9

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c922fb1dbd6968017bf5c14d29cf5ed6
SHA1 4e6a800584d10223f123872382f65b3fe98e65f6
SHA256 63748669fe17d8b74dba6386c221331ff22d7c3ecc64374ce2c42eeb769bed07
SHA512 261a99e17a90def59a421a91aba11f809f49cf5f6a191d9a5745908826afce20b6f5ad0f7c50ec33e279b8fbdaae8dc30e3c5e94482196eeea82a68b7f593c4d

memory/4380-125-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 14066509b8b066ba64cebbabdd14293d
SHA1 2e3598ba4a515117f73abc5d06816dd0cf5aa92f
SHA256 15c672d37e5e4a6018cccfce57ca9a40416d05507fc62ca73cd6cfc357ed4c5b
SHA512 1072a01c7440c4eabeaccf4d73491034829f64589ee94a2a7703a252fa6661a3a5eba68dd7cac427dab17079259a4346c4d9cf4bad515329cc6d443470e894cd

C:\Windows\SysWOW64\drivers\spools.exe

MD5 568c2923288796d51a74bac92f971ca6
SHA1 f33ae0714f49048dd2fab7ec974d4d3a56b6a7bc
SHA256 d74ed6f2500fcfe6774efe07287acdedf2d6b444e4f0063301ec2fd7453acd94
SHA512 dd08b4f48cc2769835edf5c67e34bcb6fc47ac32d5c2486ea0cb46a12a363a004946d22c77a1fd26cf742368566c5bd21525746d9482cd6a44028099ed0ae1bb

memory/4920-136-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1368-138-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5b9a5265520787a005d752db86690b52
SHA1 54c98a7bbd2175d63c17ed9a790a7fd860bce3ef
SHA256 da2c1fb960eaac3d944aacd80ac31a0b703f048b5f6d70117b963fe07c5ecd44
SHA512 30d41440491d87de49e0d932d9f34a0270159f1f5805f3a4d292d16626eadb681b0bedb811111f241778edb87c6d1acd840277bc5e2512ec49edfb084bc4ddbd

C:\Windows\SysWOW64\drivers\spools.exe

MD5 343648a21362106bdff594251219722d
SHA1 9e7f7ee7a4888a0995d5b62d95c193c061858eac
SHA256 2ce970eb054bf3aa5f0a19d65d42d0f51cae9ad5290634b15ac0e8a70397cb35
SHA512 78be06063370e5a247f96d61376558506b6eeebd55e7099966491781bb235174f1074b56b991cb828ef65ba39043e88f25a9160f48fd92675bf6cca2ae20e042

memory/4920-150-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 91a442b6023308fa9b2562782c152068
SHA1 6cd0f1bb67ff3f1e8442fba692918809b23f3ead
SHA256 1810652eb84fd60afe807577a040f8610cae5098a034ba8428dfa4eda0e983d8
SHA512 e8ebe256beeaa51045aab46e08635dc83b1b333273e52ba45f7c754118087e02c6a0bbea8f88da8742ddbbe3f688ed4b0969f278768aac0bbec7806942c2286e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 aaafa19a7902802f4647b95d4cb5393e
SHA1 4e35bc6a5b61f2ec6f4ab4e89ff6df6f7790603b
SHA256 ae43c720fb76a95cd41f551b871c88461f2bb3c221019b00d89cfd857cd370dd
SHA512 9c944117cd7eba5bf2dd4f2fb14a595fb25ca4aafcd3d40d35733f04ca2457a095aa936cbca0c7e51929b2f243c31387747beba1531231f732281c2da04b54d1

memory/4300-161-0x0000000000400000-0x0000000000430000-memory.dmp

memory/780-163-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c80030406ac5f5ec1dc32e6c138b33b8
SHA1 2efa7ed8080872e7110009ff09b7b6d6c0b4bfb3
SHA256 a6dabf75062f103eebce7a8c3b69636780ec458362c57923bcae69adf9cc68ef
SHA512 0a5eabfe2d8938340995807d4b4e91b8a1532dbbb90bafa4912c4e60a8441eaf6b4a8fbde381f5f98eae5e99635b663589e18c379821eb68cad57a1862a093b1

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ca9ff0e14aa8990b7ebd747641a2acbd
SHA1 588ae17d2070ac8b5db2399d14954ac39d187664
SHA256 04b5babd6c93e50179ab25606f7f1b4e7867b7ff91216ce2d1437a02b7127070
SHA512 cd33db1c07fcd06967e098a4755f37c0630d979b02205520bd25c73e45d617a01d229a366c9c66000c4cfabbdda1afbeb0166872cc6f23a86acb97fccfae0cc5

memory/4400-174-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4300-176-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 cf286ef6bbd7f363effe3010354166d6
SHA1 55117166ba7760be0a29e1588cf495a6c5b14661
SHA256 74b9aea22e79a6afbaf5cce765948b811f7843628906837d1a57e07334b75dc1
SHA512 7c06514c067b06ff98510a289ea7af306aac864418b5f9a5b4adcac53e08cad309be22929795f52ae67f9964150aefb838fbb04a3647e8172af96ef6926cce65

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2964fc6594d03a116deab4527abcfbaf
SHA1 7a3f278376de9d43239aefee1d5f2166a006d945
SHA256 f4e3559357d35a3b8201e84b9dabffa1c0601cfdaf198167dcc5a83baf92f27c
SHA512 05a9eade27aa17cc3ca06ec2d56bcbd2e5f514afb8a872c8f79576268033a681f8a205f8b01864d4e2e708a58f43b1dfe1b4d77cadd79ced176a34b52fa3b422

memory/1452-187-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4400-189-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 35e3a6b845ef86476386f34ae96e7311
SHA1 af4fe6c3ecd8b4278c98274424a4bcdfd6080ce2
SHA256 8d2b2905200810635c8d12bbb8d15a84162c6da217c778c78414412b98e96012
SHA512 a559e31192c011aaa19c6f9adb12ed716fe5bb06c80d59f629ee0ed19d4c580b0ddc5d31284fafea1e34526d2bf59abfa8140600ae53ec735277bcbf60103793

memory/2624-200-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 62b2777b4a75dbb815ff8bc89f9ff17d
SHA1 7f9b2e878583191ded15b098f245bbf06f4ca9c9
SHA256 87eeb728fa10199e2bd740fbd682e24632e562d88e0d1512303fe7634cf53a3d
SHA512 a4cb102a7280af6b888376a8d30dfe4317ac3e6eb6c1d2ced1bbc4f85b88253acaced7d4298e29fea60db078155fa3336ac6d68f46a8a4aa0543c2389afc7790

memory/1452-202-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 18a001235a93f7314a5a4286bf951450
SHA1 9240cc0ec7eb515023dacfb1909b91ce9fc9a899
SHA256 1704e68e6ff5cd8c59dd9819e0965d0071874356d76c15381592a2975f1935b6
SHA512 35dda51fbf4a2fe50b6f4f968450b675d463583b263f59273eec787348103db5867afc65d1e171f87bb8241de85017e3b126608338d11eaed88f902a0fd71968

C:\Windows\SysWOW64\drivers\spools.exe

MD5 99453724a6f8bb51442aca58be1d7b6b
SHA1 370e12ff03f4080cbfb3614e01e176a7aa2c5709
SHA256 d8164197b672a95e9e306f82c727ef1fb7dc9995f28471af0edda3b4379bb565
SHA512 b42358d3fcf0b199aa16cdd70129f6db0094d16e21da47227a0157a9bcbccde14948b8bada1a237471f2915a3946a1510cfb858ca6866f8d69bcbaca3f1595c4

memory/2624-214-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 880cbfdfa637f46d615b8cbacbcf18ed
SHA1 cabbdbcfe15475aff649bd6dd91d25bffee40e8d
SHA256 ccc8800510bbd193695c0441cbf6a8d12cb0c020ba6fa21e6beac0761d0e1ba9
SHA512 e61845c2ada59a0eb6629af295aa74f6515f9ec83fdd119f81bbb57dc3b9947cf21717bc3e27bb90e75e92b2bc1d32c8b68fd3da07f3bec87d272241ddc77afb

C:\Windows\SysWOW64\drivers\spools.exe

MD5 16396abad749067964c55c6e0e5249b3
SHA1 76e12ffd39e00f3e34513e10143ef85bb2a85022
SHA256 38e7f8fb55a0ac1cfb7379e009f888aafe10db911fd489f02e645d9f81f0880d
SHA512 1244e44c41a8b424ce305caa68e2836cbaf526a38accead2437174e711a8237368b2ffab3215a10f8d4c4d1aefaf3a778cb768357f65b63b610ae34761b6b904

memory/4556-225-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4816-227-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 279a89a9d6e47da016beae62d5ac166d
SHA1 2a2bf28af16a939bfb45234ba6774b4db445b9d6
SHA256 9d18b43464f6e5cf2db243d36bbed66f61da895233ef307c0e0529ef47abc1dc
SHA512 87e7f40b1a2da1c51ab2f845a1a873afec57d1e4d866bc5fdbe074cd0448da9b72b06d1541b2ba7b707a9e7055001f026ee33cc392d92c5f44d524deb86e1736

memory/5004-236-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 cb5f9fa74b512ff0126c074311ed04ca
SHA1 713b0fbc0e471097536c797471ff2dde8a3a3666
SHA256 37f54dcbbd9f969b5114a5f213fc17d653f330d146196f25809aaa9390cbcc3f
SHA512 9915d56c430ad5cc454ffce5692ae20dfcc0300f8e4bf6994e30a52ccb36cd85a518bd4536c1b6998bef78b5e2868c2cdf51401f38036b4cbcff9c22d4ef4843

memory/4556-240-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b8a19e09e78cd2d3f6fd970a35eec693
SHA1 4c8d7ce7797491440f6f6cf6aee27515bb47b4cb
SHA256 b0b0a0e5f021cf3cbafafe43471d204db1962f5b598c73eff5e577f527ba3b7f
SHA512 9dd47ed817d4643049d94af0904a281e2171a7029284e395cc0d8a8efc82c30ef94a5324e3e1ae1dbf52797479bdfe6ef14876961a4dad8482880e2324552bc9

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1da6680f17d09523e837d411aef33f65
SHA1 5ad31d910de7c236581f266b3ab0dfed89908c4e
SHA256 f772d261e2ec8d9f12672e88466ad216a89217f1e052c58b9849ed0b7973da5c
SHA512 e015e6e1797b3db68d63fe30513e54f06a76e6a871cbf23b6f13cced4f06cf9e28648f85bce6f001be2539730d658031ece0e739c5f15ae44e63ec96e5dc38cb

memory/4688-251-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5004-253-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 92c84e7eee2217edd91398ca4b8009a8
SHA1 778cd17dafd00a0ba142aab357e0c4d4f9e49747
SHA256 69963ea923287af84c4e200e23a8a696c7cb0c95bb2d82c3d3d52ebdbc25734e
SHA512 1045855acfeaa575caa8bf2ecff9f00bda7bd234c1743bb4d0b735c07cd8cd6605713e5fa46a91a9373d66b8c356da5c19492d898ed10f463767824c31dd32a7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7813172b040518df1e9f471186f4351d
SHA1 6f4ee99f3721586358cbcab8341863371b652b46
SHA256 32b9f744b0c2dba772987de8c2496a713ec1706fb732bf670de55d2b5dbf827f
SHA512 71782939535f6311ce26a7ad453dbe6409e24c5e62a92989a84d128dda556b3eaffa300bdfd585108af001566251656a29073a953ce1d28a391488784d55c461

memory/4688-265-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5da5538502cbf59250ad784803db2346
SHA1 157c62acd640bb6179e4427cd27ba54b0910f1bf
SHA256 4bb46dcc26b885dcb7e1939b33f9f148ee16d060d742b2cb524b67e107b545ec
SHA512 a2c3b3f453d5684d0bf1ac7ede5adc066109e55e15d8af9ab0eec973394fb90f11fb27170a2b2caae75c908a9cfd77362d7bcab0ed1411486605b752956a7185

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7c947effb62b830990cb5a2613b9d09b
SHA1 0aecb753990f914646c651c9f452e0b4ccd24919
SHA256 ac282170e26a86498e59ee33fd105bfe6074fd0d0251399704aad2faf4e95fbc
SHA512 040f2071cf95cb1a6b5124a9c164ab5c8be63c7b10c2cf6c58a5d491c88cdf9098a1df60292602dcf2536156308a6a272b14efbbfc9494ab1bdc240a8def5c67

memory/64-276-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4612-277-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2528-286-0x0000000000400000-0x0000000000430000-memory.dmp

memory/64-287-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4388-296-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2528-297-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1320-306-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4388-307-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1320-316-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4664-325-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3764-326-0x0000000000400000-0x0000000000430000-memory.dmp

memory/960-335-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4664-336-0x0000000000400000-0x0000000000430000-memory.dmp